Further Update – Telstra ‘Smart Controls’ Cyber-Safety Tool

Yesterday, we stopped sale of a cyber-safety tool (named ‘Smart Controls’) in response to your concerns about the process that we had been employing in collecting data to support the launch of the product. To reassure our customers about what this process had involved, we published a post outlining the background to the development of this product. In response to this post, a number of our customers have contacted us with further, specific questions about this process.

These questions were legitimate and well informed and we thought that all our customers would benefit from hearing the answers. A lot of these questions related to how and what information was passed on to our supplier for this product.

We understand that there are a lot of misperceptions about this at present, so I’ve set out the process under which information was provided to our supplier in detail below.

The first thing to know is that at no time was a customer’s browsing history or ‘clickstream’ provided to the suppliers of this product. As we’ve set out in more detail below, the only information that was provided to the supplier of this product was target website addresses without any information to link these target website addresses to a customer, or even any other websites visited by the customer, or any information provided by the customer.

When you type or click on an internet address (URL), a number of things are sent as part of your request to retrieve the website. This includes the URL (eg http://exchange.telstra.com.au) and your separate IP address – effectively your computer or mobile’s personal address on the internet.

It is important to understand that before any URLs were provided to our supplier, all variable information contained in a URL was ‘stripped out’ and only the base or ‘root’ URL (the URL address) was provided to our supplier. In fact, at no time was information linking the URL address to any customer provided to our supplier. Only the URL address without any variables or other information from the internet site was stored in the Telstra or Netsweeper databases.

As the internet is constantly evolving, with new websites being added every minute, a cyber safety product such as Smart Control will only be effective if it is continually updating its database of website classifications. As such, to develop this product, a process was needed that quickly identified new websites, then assessed them and classified them to enable customers’ preferences to work as accurately as possible. This is why Netsweeper was used. Netsweeper already maintains an extensive database of the classification of website addresses and is used by companies around the world for this purpose.

As part of developing this cyber safety product, Telstra began comparing websites requested by its mobile customers against a list of known websites in a Telstra database housed in Australia to see if it was already classified and within the specified lifetime of the classification (anywhere from 12 hours to 30 days depending on the site). If a site was already classified, as were the majority of sites on the internet, no further action was taken.

If the Telstra database did not recognise the website, usually because the website had only recently been created, the URL was sent to the Netsweeper database (either in the US or Canada) to see if it had a classification for the website. If the website had been classified in the Netsweeper database this information was sent back to the Telstra database and no further action was taken. If the Netsweeper database didn’t recognise the URL address, the site was accessed and then assessed for classification and sent back to the Netsweeper and Telstra databases. The databases are used solely for the purposes of enabling websites to be classified to give customers the opportunity to opt into a service that would allow them to manage what sites can be accessed on their device

The process in its most basic form is outlined in the diagram below.

In response to your concerns, we’ve talked about this process with the Privacy Commissioner, the Australian Communication and Media Authority, the Telecommunications Industry Ombudsman, the Australian Communications Consumer Action Network as well as talking to our community through this forum and one on one with individual customers. We are committed to being transparent about how we use the personal information customers entrust to us, and we apologise for any confusion or concern this has caused – we’ll keep working with you to clarify any further points of concern you might raise.

The Author

Mr Anthony Goonan is responsible for Telstra’s long term network technology roadmap and associated investment plan.
Anthony is a graduate of Sydney University with a Bachelor of Science in Pure Mathematics and Bachelor of Electrical Engineering with Honours. Anthony also possesses a Graduate Diploma in Education. He is a Governor on the Electrical and Information Engineering Foundation Board of Sydney University.
Joining Telstra as a cadet engineer in 1982, Anthony has more than twenty-five experience deploying first, second, third and now fourth generation mobile networks. Anthony was also responsible for the design, deployment and operations of Telstra's mobile networks provided for the Sydney 2000 Olympic and Paralympic Games – the first ever “mobile” Olympics. He has held senior management positions in mobile planning, product and device development & verification, infrastructure deployment and network operations.
Anthony has been appointed in his current role encompassing long term planning activities associated with Telstra’s fixed and wireless connectivity since October 2010.
Anthony is well acquainted with the industry, customer and community benefits and issues which come with fast evolving technology development and deployment.